Data Protection: New regulation is on the way, are you ready?

  • by Guest
  • in Blogs · LGPSi
  • — 12 Dec, 2017

Photo: Geralt/Pixabay, CC0

Stringent new rules for the management of data are on the way with implications for LGPS. Kirsty Bartlett explains the key stages for achieving compliance.

On 25 May 2018 the General Data Protection Regulations (GDPR) will come into force across the European Union. This represents a significant challenge to LGPS administering authorities: there is a lot to do from a pension perspective to demonstrate compliance with the new laws.

The underlying concepts of GDPR will be familiar from existing UK legislation (the Data Protection Act 1998), but some of the detailed requirements are tougher and the process for demonstrating compliance will change. The risks of getting it wrong are significantly greater – the maximum fine will increase from £500,000 to €20m (or 4% of global turnover if higher, although it’s not clear how this would apply to an administering authority).

Stage 1: Data mapping

Administering authorities are data controllers of the information they collect in order to pay pension benefits. Under GDPR, data controllers must, on request, provide the Information Commissioner’s Office (ICO) with a written record of the personal data they hold, the legal basis for doing so, how it is processed and safeguarded, and how long it is held for.

This data map must cover administering authorities and any data processors. In practice, it is recommended that any other data controllers with whom administering authorities share personal data (e.g. scheme employers) are included in the data mapping process: the reputational risk of a data breach concerning LGPS data will inevitably spread to administering authorities even if they are not at fault.

Data mapping is the gateway to GDPR compliance: the remaining stages all flow from understanding how personal data is currently processed. It is a complex process that will inevitably require input from a number of third parties; administering authorities need to contact any third party administrator, their actuary, auditor, legal adviser, occupational health provider, AVC providers, etc. It is not uncommon for funds to involve a dozen, or more, data processors in their data map. And that’s before considering several hundred participating employers.

The key message is to start your data mapping now if it is not already underway. Asking data processors to complete a standard questionnaire can help to manage the process more efficiently and provide responses in a common format to ease analysis and further due diligence. Your legal adviser should be able to assist.

Stage 2: Updating processes

Once the data map is complete, administering authorities should consider if their current processes are adequate. GDPR is an opportunity to keep pace with best practice, not just a form-filling exercise. Risk registers and policies should be reviewed and updated where necessary.

As a minimum, administering authorities should have a breach response plan to enable them to report serious breaches of GDPR to the ICO within the maximum 72-hour period; they should also have a process to comply with the new shorter timescales for dealing with subject access requests.

Public authorities are required to appoint a data protection officer and administering authorities are likely to have a wider GDPR compliance plan that will need to involve those responsible for LGPS funds. However, having a data protection champion within the LGPS team could be a useful practical step. The personal data held for LGPS fund purposes is necessarily a high risk area for administering authorities: it is exactly the type of data attractive to fraudsters and it is necessarily held for an extremely long time.

Stage 3: Reviewing contracts

All contracts with third party data processors will need to be reviewed and updated before May 2018. The requirements for contracts to comply with GDPR are more stringent than under current UK law and data processors will have direct legal obligations and liabilities. Some data processors may look to pass all, or some, of those liabilities back to data controllers under their contracts.

At least one large consultancy has already written to all clients looking to impose a standard GDPR contract amendment by notice: those who don’t object will be deemed to have accepted the new wording. Administering authorities will need to review any wording put to them, or require data processors to accept the fund’s own standard contract amendments.

Stage 4: Communications with members

All LGPS fund members should be issued with an updated privacy notice before May 2018, informing them what personal data is held, how it is processed and how long it will be held for. GDPR is more prescriptive, so current notices are unlikely to comply. GDPR also requires privacy notices to be easy to understand, which represents a real challenge given the mandatory content.

The good news is that administering authorities will not need to seek individual member consent to collect and process personal data for their LGPS funds. Obtaining consent under GDPR is a more difficult process and it must be capable of being withdrawn at any time. Instead, administering authorities can rely on their legal obligation to comply with the LGPS Regulations as the basis for which they collect and process personal data.

Some circumstances will require special consideration. Personal data relating to health or sexual orientation come with a higher standard of protection, so communications dealing with ill health pensions and survivor benefits need to be revisited. Administering authorities may decide it is impractical to issue a privacy notice to every potential dependant included on an expression of wish form, but they could tell members to inform their nominees that personal data has been provided to the LGPS fund.

GDPR is unlikely to change fundamentally how administering authorities process personal data, but there is a lot of legwork needed between now and May 2018 to demonstrate compliance. Brexit is no silver bullet: the Data Protection Bill currently going through Parliament will enshrine GDPR into UK law. Authorities needing additional resource can contact the LGPS Frameworks to engage an appropriate third party adviser.

The world will not stop turning on 25 May 2018 but, if you do have a data breach, the ICO will be more sympathetic if administering authorities have taken significant steps towards GDPR compliance before then.

Kirsty Bartlett

Kirsty Bartlett is a partner at Squire Patton Boggs (UK) LLP.
